Azure - create a custom chained token credential to place the AzureCL…

…ICredential prior to the ManagedIdentityCredential (#1009)
microsoft · Jul 3, 2024 · b6ccc05 · b6ccc05
1 parent 33daacd
commit b6ccc05
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 12 deletions.
diff --git a/src/auth.ts b/src/auth.ts
@@ -0,0 +1,24 @@
+import { AzureCliCredential, AzureDeveloperCliCredential, AzurePowerShellCredential, ChainedTokenCredential, EnvironmentCredential, ManagedIdentityCredential } from "@azure/identity";
+
+function createChainedTokenCredential(): ChainedTokenCredential {
+	return new ChainedTokenCredential(
+		new EnvironmentCredential(),
+		new AzureCliCredential(),
+		new ManagedIdentityCredential({ clientId: process.env.AZURE_CLIENT_ID }),
+		new AzurePowerShellCredential({ tenantId: process.env.AZURE_TENANT_ID }),
+		new AzureDeveloperCliCredential({ tenantId: process.env.AZURE_TENANT_ID })
+	);
+}
+
+export async function getAzureCredentialAccessToken(): Promise<string> {
+	try {
+		const credential = createChainedTokenCredential()
+		const token = await credential.getToken('499b84ac-1321-427f-aa17-267ca6975798/.default', {
+			tenantId: process.env.AZURE_TENANT_ID
+		});
+
+		return token.token;
+	} catch (error) {
+		throw new Error('Can not acquire a Microsoft Entra ID access token. Additional information:\n\n' + error)
+	}
+}
diff --git a/src/publish.ts b/src/publish.ts
@@ -5,14 +5,15 @@ import { ExtensionQueryFlags, PublishedExtension } from 'azure-devops-node-api/i
 import { pack, readManifest, versionBump, prepublish, signPackage, createSignatureArchive } from './package';
 import * as tmp from 'tmp';
 import { IVerifyPatOptions, getPublisher } from './store';
-import { getGalleryAPI, read, getPublishedUrl, log, getHubUrl, patchOptionsWithManifest, getAzureCredentialAccessToken } from './util';
+import { getGalleryAPI, read, getPublishedUrl, log, getHubUrl, patchOptionsWithManifest } from './util';
 import { Manifest } from './manifest';
 import { readVSIXPackage } from './zip';
 import { validatePublisher } from './validation';
 import { GalleryApi } from 'azure-devops-node-api/GalleryApi';
 import FormData from 'form-data';
 import { basename } from 'path';
 import { IterableBackoff, handleWhen, retry } from 'cockatiel';
+import { getAzureCredentialAccessToken } from './auth';
 
 const tmpName = promisify(tmp.tmpName);
 

diff --git a/src/util.ts b/src/util.ts
@@ -7,7 +7,6 @@ import { PublicGalleryAPI } from './publicgalleryapi';
 import { ISecurityRolesApi } from 'azure-devops-node-api/SecurityRolesApi';
 import { Manifest } from './manifest';
 import { EOL } from 'os';
-import { DefaultAzureCredential } from '@azure/identity';
 
 const __read = promisify<_read.Options, string>(_read);
 export function read(prompt: string, options: _read.Options = {}): Promise<string> {
@@ -51,16 +50,6 @@ export function getPublicGalleryAPI() {
 	return new PublicGalleryAPI(marketplaceUrl, '3.0-preview.1');
 }
 
-export async function getAzureCredentialAccessToken(): Promise<string> {
-	try {
-		const credential = new DefaultAzureCredential();
-		const token = await credential.getToken('499b84ac-1321-427f-aa17-267ca6975798/.default');
-		return token.token;
-	} catch (error) {
-		throw new Error('Can not acquire a Microsoft Entra ID access token. Additional information:\n\n' + error)
-	}
-}
-
 export function normalize(path: string): string {
 	return path.replace(/\\/g, '/');
 }